ENTERED INTO BY:
Lennd Inc. (doing business as Sessionboard);
Customer, as identified in the Main Agreement (defined below).
Each a “party,” together the “parties.”
The parties have entered into an agreement for Sessionboard and, where applicable, its Affiliates to provide certain services to the Customer (the “Main Agreement”). This data processing addendum (the “DPA”) sets forth the terms on which the parties will collect and process personal data in connection with the Service and is hereby incorporated into the Main Agreement by reference.
Customer and Sessionboard each act as an independent controller of Participant Data. In all other circumstances, Customer is the controller of Customer Data and Sessionboard is the processor.
APPLICATION OF THIS DPA
This DPA describes the commitments of Sessionboard and Customer concerning the processing of personal data in connection with the provision of the Service contemplated by the Main Agreement.
This DPA will apply to the processing of personal data under the Main Agreement, to the extent that such processing is subject to Data Protection Legislation, and takes effect from the date of the Main Agreement.
Where other language versions of this document exist, the English version will control.
DESCRIPTION OF DATA PROCESSING
Processing of personal data related to the Service as described in the Main Agreement.
Nature and purpose
Processing of personal data to provide the Service as described in the Main Agreement.
Duration and Frequency
Term of the Main Agreement or for as long as Sessionboard is permitted or required to retain the personal data. Personal data will be transferred continuously where necessary to provide the Service to the Customer.
Types of personal data
“Participant Data” is any personal data relating to individuals in the creation of a Sessionboard account (or other means of access) to attend or engage with an event via the Service such as (a) first and last name; (b) contact details; (c) event participation information (e.g. event name, time and date); (d) IP address; (e) any additional personal data provided directly to Sessionboard when registering for and engaging with the Service; and (f) any usage data, including metadata relating to an individual's interaction with the Service (e.g. length of visit, navigation paths, page views, page interaction information, timing, frequency and patterns of use).
“Event Data” is (a) any personal data contained in materials submitted by Customer in the course of creating or during an event (e.g. speaker bios).
Categories of Data Subject
Individuals who participate in events (e.g. event admins, speakers, exhibitors, sponsors).
Individuals whose personal data is contained in Event Data.
“Affiliates” means any entity which directly or indirectly controls, is controlled by, or is under common control with the subject entity and which provides the Service.
“Controller”, “processor”, “data subject”, “personal data”, “personal data breach”, “processing,” “service provider” and “appropriate technical and organizational measures” are as defined in the Data Protection Legislation. “Personal data” includes “personal information” as defined by the CCPA. “Controller” shall also include the definition of “Business” for purposes of the CCPA.
“Customer Data” means Event Data.
“Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time including (i) the General Data Protection Regulation ((EU) 2016/679) (“EU GDPR”); (ii) the General Data Protection Regulation ((EU) 2016/679) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)) (“UK GDPR”); (iii) the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC); (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); and (v) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., including its regulations and the amendments made by the California Privacy Rights Act of 2020 (“CCPA”); in each case as may be amended or superseded from time to time.
“EU C-to-P Transfer Clauses” means the EU SCCs sections I, II, III and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor).
“Restricted Transfer” means a transfer of personal data under this DPA from the European Economic Area, Switzerland, or United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of applicable laws of the foregoing territories, to the extent such transfers are subject to such applicable laws.
“Standard Contractual Clauses” means (i) where the EU GDPR applies, the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en (“EU SCCs”) and (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”).
“Service” has the meaning set forth in the Main Agreement but may include the Sessionboard event technology platform and service.
1. Compliance with Data Protection Legislation
1.1 Both parties will comply with all applicable requirements of the Data Protection Legislation.
2. Customer’s Responsibilities
2.1 Customer will ensure that it has all necessary and appropriate consents and notices in place to enable lawful disclosure of Customer Data to Sessionboard and/or lawful collection or processing of Customer Data by Sessionboard on behalf of Customer for the purposes of this DPA. Customer will not instruct Sessionboard to process any personal data, including Customer Data, in violation of Data Protection Legislation.
3. Sessionboard's Responsibilities
3.1 Sessionboard shall comply with the requirements below, in relation to any Customer Data processed by Sessionboard as a processor on behalf of Customer as a controller:
3.1.1 Instructions: Sessionboard shall: (i) process Customer Data only on the documented written instructions of Customer, which include this DPA and the Main Agreement, unless Sessionboard is required by applicable laws to otherwise process Customer Data; (ii) where Sessionboard is relying on applicable laws as the basis for processing Customer Data, Sessionboard shall promptly notify Customer of this in advance, unless those applicable laws prohibit Sessionboard from doing so; and (iii) inform the Customer promptly if, in Sessionboard's opinion, an instruction from the Customer infringes (or, if acted upon, might cause an infringement of) Data Protection Legislation;
3.1.2 Security: Sessionboard shall ensure that it has in place appropriate technical and organizational measures provided in https://www.sessionboard.com/legal/security-policy (the “Security Measures”), to protect against unauthorized or unlawful processing of Customer Data and against accidental loss or destruction of, or damage to, Customer Data, appropriate to: the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage of the data; and the nature of the data to be protected, in all cases having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymizing and encrypting Customer Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Customer Data can be restored in a timely manner after a personal data breach, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by it);
3.1.3 Confidentiality of processing: Sessionboard shall ensure that all personnel who have access to and/or process Customer Data are subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty);
3.1.4 Cooperation and data subject rights: Sessionboard shall assist Customer, at the Customer’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to personal data breach notifications, impact assessments and consultations with supervisory authorities or regulators;
3.1.5 Personal data breaches: Sessionboard shall notify the Customer without undue delay on becoming aware of a personal data breach of Customer Data;
3.1.6 Deletion or return of data: Sessionboard shall, at the written direction of the Customer, delete or return Customer Data to the Customer, on termination of the DPA unless required by applicable laws to store the Customer Data;
3.1.7 Accountability: Sessionboard shall maintain complete and accurate records and information to demonstrate its compliance with Data Protection Legislation and provide the Customer with appropriate evidence at its reasonable request; and
3.1.8 Audits: Sessionboard shall allow for audits by the Customer’s designated auditor to be agreed with Sessionboard in advance, only so far as is necessary in order to demonstrate compliance with this DPA, provided that: the Customer provides Sessionboard with no less than 30 days’ notice of such audit or inspection; it is conducted at Customer’s sole expense; and the parties agree to the scope, duration, and purpose of such audit or inspection in advance, including reasonable reimbursement of Sessionboard for time expended by Sessionboard or its sub-processors. Customer’s designated auditor shall conduct its audit in a manner that will result in minimal disruption to Sessionboard's business operations and shall not be entitled to receive or obtain access to any system that also stores the data or information of other clients or customers of Sessionboard or any other confidential information of Sessionboard that is not directly relevant for the authorized purposes of the audit. If the Customer becomes privy to any confidential information of Sessionboard as a result of this Section 3.1.8, the Customer shall hold such confidential information in confidence and, unless required by law, not make the confidential information available to any third party, or use it for any other purpose. The Customer acknowledges that Sessionboard shall only be required to use reasonable endeavors to assist the Customer in procuring access to any third party assets, records or information as part of any audit.
4. Third party processors
4.1 The Customer acknowledges and consents generally to the appointment by Sessionboard of third parties as sub-processors of Customer Data being processed under this DPA. The names and locations of sub-processors used for the processing to support the Service under this DPA are listed at https://www.sessionboard.com/legal/security-policy.
4.2 Sessionboard confirms that: (a) it shall impose on all sub-processors substantially the same data protection obligations as set out in this DPA; and (b) Sessionboard shall remain fully liable for the actions of its sub-processors at all times.
4.3 Sessionboard shall give Customer notice of the appointment of any new sub-processors by updating the lists of sub-processors referenced in Section 4.1 above. Customer may reasonably object to such appointments within 10 US business days of such notice for important reasons relating to data protection which have been proven to Sessionboard. If Customer objects to such changes on this basis, Customer will give Sessionboard the opportunity to make a change in the service or recommend a commercially reasonable change to Customer’s configuration to avoid processing of Customer Data by the objected-to new sub-processor without unreasonably burdening Customer. Insofar as the Customer does not object within 10 days after the notification date, the Customer’s right to object to the corresponding engagement lapses. If the Customer objects in accordance with this Section 4.3, Sessionboard is entitled to terminate the Main Agreement on reasonable notice.
5. Restricted Transfers
5.1 Insofar as the Service leads to a Restricted Transfer, Sessionboard and Customer hereby enter into the EU C-to-P Transfer Clauses and the UK Addendum (where applicable) on the basis that the exporter is Customer and the importer is Sessionboard, Inc. and on the basis that:
(a) To the extent that Customer is located in the EU and/or the personal data is protected by the EU GDPR, the EU C-to-P Transfer Clauses will be completed as follows:
(i) in Clause 7, the optional docking clause will not apply;
(ii) in Clause 9, Option 2 will apply, and pursuant to clause 9(1) Customer acknowledges and agrees that Sessionboard may engage new sub-processors in the manner described in this DPA and the notice period will be 10 US business days;
(iii) in Clause 11, the optional language will not apply;
(iv) in Clause 17, the EU C-to-P Transfer Clauses will be governed by the jurisdiction of Ireland;
(v) in Clause 18, disputes shall be resolved before the courts in the jurisdiction of Ireland;
(vi) the competent supervisory authority shall be the Irish Data Protection Commission;
(vii) for the purposes of Annex I to the EU C-to-P Transfer Clauses: (a) the categories of data transferred are Event Data (as defined above); and (b) the categories of data subject, subject matter, nature and purpose and duration and frequency of the transfer and retention are set out above under “Description of Data Processing”. It is not anticipated that sensitive data will be transferred; and
(viii) For the purpose of Annex II the security measures are specified at https://www.sessionboard.com/legal/security-policy, which are hereby incorporated by reference.
(b) To the extent the Customer is located in the UK and/or the personal data is protected by the UK GDPR, the UK Addendum will apply as follows:
(i) The EU C-to-P Transfer Clauses (as amended as specified by Part 2 of the UK Addendum) are completed as set out above in Section 5.1(a); and
(ii) Tables 1 to 3 of the UK Addendum shall be deemed completed with the information set out above in Section 5.1(a) (as applicable) and table 4 in Part 1 shall be deemed completed by selecting "data importer".
5.2 To the extent there is any conflict between this DPA and/or the Main Agreement with any applicable Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
5.3 To the extent that Sessionboard adopts an alternative data transfer mechanism (including any new version of or successor to the Standard Contractual Clauses) ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall upon notice to Customer and an opportunity to object, apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Data Protection Legislation applicable to the EU and/or the UK and extends to territories to which Customer Data is transferred).
6.1 With regard to personal data in Customer Data that is subject to the CCPA, Sessionboard shall:
(a) comply with all applicable provisions of the CCPA;
(b) not sell or share the personal data (as the terms “sell” and “share” are defined under the CCPA); receive any personal data as consideration for any service provided by Sessionboard as a service provider under this DPA; or take any action that would cause any provision of personal data to Sessionboard by the Customer to qualify as “selling” personal data under the CCPA or any other applicable Data Protection Legislation;
(c) not collect, retain, share or use any personal data outside the direct business relationship between Customer and Sessionboard, or for any purpose (including any commercial purpose) other than to provide and operate the Service (including, without limitation, to the extent requested by Customer and to facilitate events through the Sessionboard platform);
(d) comply with any applicable restrictions under the CCPA on combining personal data in Customer Data with personal data that Sessionboard receives from, or on behalf of, another person or persons, or that Sessionboard collects from any interaction between it and any individual;
(e) provide personal data with the level of protection that is required of the businesses under the CCPA; and
(f) promptly inform Customer if Sessionboard is no longer able to meet its obligations under the CCPA.
6.2 Sessionboard certifies that it understands and will comply with the requirements of this DPA, including this Section 6.
6.3 Customer retains the right to take reasonable and appropriate steps to (a) ensure that Sessionboard processes personal data subject to the CCPA contained in Customer Data in a manner consistent with the CCPA, and (b) upon notice, stop and remediate unauthorized processing of such personal data.
7.1 This DPA is subject to the terms of the Main Agreement and is incorporated into the Main Agreement. In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the Main Agreement, the provisions of this DPA will prevail to the extent of such conflict or ambiguity. This DPA will remain in full force and effect so long as the Main Agreement remains in effect.
7.2 If any provision in this DPA is ineffective or void, this shall not affect the remaining provisions. The parties shall replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. In case a necessary provision is missing, the parties shall add an appropriate one in good faith.
7.3 This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of the United States.
7.4 Each party irrevocably agrees that the courts of the United States have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims), arising out of or in connection with this DPA or its subject matter or formation.
Last Modified: July 6, 2023